NHSDigital
diff --git a/‎backend/src/fhir_controller.py‎
Lines changed: 47 additions & 14 deletions b/‎backend/src/fhir_controller.py‎
Lines changed: 47 additions & 14 deletions
diff --git a/‎backend/src/fhir_repository.py‎
Lines changed: 43 additions & 10 deletions b/‎backend/src/fhir_repository.py‎
Lines changed: 43 additions & 10 deletions
diff --git a/‎backend/src/fhir_service.py‎
Lines changed: 1 addition & 1 deletion b/‎backend/src/fhir_service.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/tests/sample_data/permissions_config.py‎ b/‎backend/tests/sample_data/permissions_config.py‎
@@ -271,8 +271,10 @@ def update_immunization(self, aws_event):
 
         # Check vaccine type permissions on the existing record - start
         try:
-            vax_type_perms = self._parse_vaccine_permissions_controller(imms_vax_type_perms)
+            vax_type_perms = self._expand_permissions(imms_vax_type_perms)
+            print(f"vax_type_perms: {vax_type_perms}, imms_vax_type_perms: {imms_vax_type_perms}")
             vax_type_perm = self._vaccine_permission(existing_record["VaccineType"], "update")
+            print(f"vax_type_perm(operation_perms): {vax_type_perm}, is subset of vax_type_perms (imms_vax): {vax_type_perms}")
             self._check_permission(vax_type_perm, vax_type_perms)
         except UnauthorizedVaxOnRecordError as unauthorized:
             return self.create_response(403, unauthorized.to_operation_outcome())
@@ -333,6 +335,7 @@ def update_immunization(self, aws_event):
 
                 # Check if the record is reinstated record - start
                 if existing_record["Reinstated"] == True:
+                    print(f"imms_params_reinstate: {imms_vax_type_perms}, supplier_system: {supplier_system}")
                     outcome, resource = self.fhir_service.update_reinstated_immunization(
                         imms_id,
                         imms,
@@ -341,6 +344,7 @@ def update_immunization(self, aws_event):
                         supplier_system
                     )
                 else:
+                    print(f"imms_params: {imms_vax_type_perms}, supplier_system: {supplier_system}")
                     outcome, resource = self.fhir_service.update_immunization(
                         imms_id,
                         imms,
@@ -428,8 +432,9 @@ def search_immunizations(self, aws_event: APIGatewayProxyEventV1) -> dict:
             return self.create_response(403, unauthorized.to_operation_outcome())
         # Check vaxx type permissions on the existing record - start
         try:
-            vax_type_perms = self._parse_vaccine_permissions_controller(imms_vax_type_perms)
+            vax_type_perms = self._expand_permissions(imms_vax_type_perms)
             vax_type_perm = self._new_vaccine_request(search_params.immunization_targets, "search", vax_type_perms)
+            print(f"vax_type_perm: {vax_type_perm}, vax_type_perms: {vax_type_perms}")
             if not vax_type_perm:
                 raise UnauthorizedVaxError
         except UnauthorizedVaxError as unauthorized:
@@ -661,29 +666,48 @@ def create_response(status_code, body=None, headers=None):
             **({"body": body} if body else {}),
         }
 
-    @staticmethod
-    def _sendack(payload, file_name, message_id, created_at_formatted_string, local_id, operation_requested):
-        payload["file_key"] = file_name
-        payload["row_id"] = message_id
-        payload["created_at_formatted_string"] = created_at_formatted_string
-        payload["local_id"] = local_id
-        payload["operation_requested"] = operation_requested
-        sqs_client.send_message(QueueUrl=queue_url, MessageBody=json.dumps(payload), MessageGroupId=file_name)
-
     @staticmethod
     def _vaccine_permission(vaccine_type, operation) -> set:
+        mapped_operations = {
+            "create": "c",
+            "read": "r",
+            "update": "u",
+            "delete": "d",
+            "search": "s"
+        }
+
+        operation = mapped_operations.get(operation.lower())
+        if not operation:
+            raise ValueError(f"Unsupported operation: {operation}")
+
         vaccine_permission = set()
         if isinstance(vaccine_type, list):
             for x in vaccine_type:
-                vaccine_permission.add(str.lower(f"{x}:{operation}"))
+                vaccine_permission.add(str.lower(f"{x}.{operation}"))
             return vaccine_permission
         else:
-            vaccine_permission.add(str.lower(f"{vaccine_type}:{operation}"))
+            vaccine_permission.add(str.lower(f"{vaccine_type}.{operation}"))
             return vaccine_permission
 
     @staticmethod
     def _parse_vaccine_permissions_controller(imms_vax_type_perms) -> set:
         return {str(s).strip().lower() for s in imms_vax_type_perms}
+    
+    @staticmethod
+    def _expand_permissions(supplier_permissions: list[str]) -> set[str]:
+        expanded = set()
+        for permissions in supplier_permissions:
+            if '.' not in permissions:
+                continue  # skip invalid format
+        vaccineType, allowed_operations = permissions.split('.', 1)
+        print(f"Vax_type: {vaccineType}, Ops: {allowed_operations}")
+        vaccineType = vaccineType.lower()
+        for operation in allowed_operations.lower():
+            if operation not in {'c', 'r', 'u', 'd', 's'}:
+                raise ValueError(f"Unknown operation code: {operation} in a permission {permissions}")
+            expanded.add(f"{vaccineType}.{operation}")
+        print(f"Expanded permissions: {expanded}")
+        return expanded
 
     @staticmethod
     def _check_permission(requested: set, allowed: set) -> set:
@@ -694,11 +718,20 @@ def _check_permission(requested: set, allowed: set) -> set:
 
     @staticmethod
     def _new_vaccine_request(vaccine_type, operation, vaccine_type_permissions: None) -> Optional[list]:
+        mapped_operations = {
+            "create": "c",
+            "read": "r",
+            "update": "u",
+            "delete": "d",
+            "search": "s"
+        }
+
+        operation = mapped_operations.get(operation.lower())
         vaccine_permission = list()
         if isinstance(vaccine_type, list):
             for x in vaccine_type:
                 vaccs_prms = set()
-                vaccs_prms.add(str.lower(f"{x}:{operation}"))
+                vaccs_prms.add(str.lower(f"{x}.{operation}"))
                 if vaccs_prms.issubset(vaccine_type_permissions):
                     vaccine_permission.append(x)
             return vaccine_permission
 
@@ -85,7 +85,7 @@ def __init__(self, table: Table):
         self.table = table
 
     def get_immunization_by_identifier(
-        self, identifier_pk: str, imms_vax_type_perms: str
+        self, identifier_pk: str, imms_vax_type_perms: list[str]
     ) -> Optional[dict]:
         response = self.table.query(
             IndexName="IdentifierGSI", KeyConditionExpression=Key("IdentifierPK").eq(identifier_pk)
@@ -94,7 +94,7 @@ def get_immunization_by_identifier(
             item = response["Items"][0]
             resp = dict()
             vaccine_type = self._vaccine_type(item["PatientSK"])
-            vax_type_perms = self._parse_vaccine_permissions(imms_vax_type_perms)
+            vax_type_perms = self._expand_permissions(imms_vax_type_perms)
             vax_type_perm = self._vaccine_permission(vaccine_type, "search")
             self._check_permission(vax_type_perm, vax_type_perms)
             resource = json.loads(item["Resource"])
@@ -112,7 +112,7 @@ def get_immunization_by_id(self, imms_id: str, imms_vax_type_perms: str) -> Opti
             if "DeletedAt" in response["Item"]:
                 if response["Item"]["DeletedAt"] == "reinstated":
                     vaccine_type = self._vaccine_type(response["Item"]["PatientSK"])
-                    vax_type_perms = self._parse_vaccine_permissions(imms_vax_type_perms)
+                    vax_type_perms = self._expand_permissions(imms_vax_type_perms)
                     vax_type_perm = self._vaccine_permission(vaccine_type, "read")
                     self._check_permission(vax_type_perm, vax_type_perms)
                     resp["Resource"] = json.loads(response["Item"]["Resource"])
@@ -122,7 +122,7 @@ def get_immunization_by_id(self, imms_id: str, imms_vax_type_perms: str) -> Opti
                     return None
             else:
                 vaccine_type = self._vaccine_type(response["Item"]["PatientSK"])
-                vax_type_perms = self._parse_vaccine_permissions(imms_vax_type_perms)
+                vax_type_perms = self._expand_permissions(imms_vax_type_perms)
                 vax_type_perm = self._vaccine_permission(vaccine_type, "read")
                 self._check_permission(vax_type_perm, vax_type_perms)
                 resp["Resource"] = json.loads(response["Item"]["Resource"])
@@ -170,7 +170,7 @@ def create_immunization(
         new_id = str(uuid.uuid4())
         immunization["id"] = new_id
         attr = RecordAttributes(immunization, patient)
-        vax_type_perms = self._parse_vaccine_permissions(imms_vax_type_perms)
+        vax_type_perms = self._expand_permissions(imms_vax_type_perms)
         vax_type_perm = self._vaccine_permission(attr.vaccine_type, "create")
         self._check_permission(vax_type_perm, vax_type_perms)
         query_response = _query_identifier(self.table, "IdentifierGSI", "IdentifierPK", attr.identifier)
@@ -273,7 +273,7 @@ def update_reinstated_immunization(
         )
 
     def _handle_permissions(self, imms_vax_type_perms: str, attr: RecordAttributes):
-        vax_type_perms = self._parse_vaccine_permissions(imms_vax_type_perms)
+        vax_type_perms = self._expand_permissions(imms_vax_type_perms)
         vax_type_perm = self._vaccine_permission(attr.vaccine_type, "update")
         self._check_permission(vax_type_perm, vax_type_perms)
 
@@ -370,12 +370,12 @@ def delete_immunization(
                 if "DeletedAt" in resp["Item"]:
                     if resp["Item"]["DeletedAt"] == "reinstated":
                         vaccine_type = self._vaccine_type(resp["Item"]["PatientSK"])
-                        vax_type_perms = self._parse_vaccine_permissions(imms_vax_type_perms)
+                        vax_type_perms = self._expand_permissions(imms_vax_type_perms)
                         vax_type_perm = self._vaccine_permission(vaccine_type, "delete")
                         self._check_permission(vax_type_perm, vax_type_perms)
                 else:
                     vaccine_type = self._vaccine_type(resp["Item"]["PatientSK"])
-                    vax_type_perms = self._parse_vaccine_permissions(imms_vax_type_perms)
+                    vax_type_perms = self._expand_permissions(imms_vax_type_perms)
                     vax_type_perm = self._vaccine_permission(vaccine_type, "delete")
                     self._check_permission(vax_type_perm, vax_type_perms)
 
@@ -432,9 +432,26 @@ def _handle_dynamo_response(response):
 
     @staticmethod
     def _vaccine_permission(vaccine_type, operation) -> set:
+        mapped_operations = {
+            "create": "c",
+            "read": "r",
+            "update": "u",
+            "delete": "d",
+            "search": "s"
+        }
+
+        operation = mapped_operations.get(operation.lower())
+        if not operation:
+            raise ValueError(f"Unsupported operation: {operation}")
+
         vaccine_permission = set()
-        vaccine_permission.add(str.lower(f"{vaccine_type}:{operation}"))
-        return vaccine_permission
+        if isinstance(vaccine_type, list):
+            for x in vaccine_type:
+                vaccine_permission.add(str.lower(f"{x}.{operation}"))
+            return vaccine_permission
+        else:
+            vaccine_permission.add(str.lower(f"{vaccine_type}.{operation}"))
+            return vaccine_permission
 
     @staticmethod
     def _parse_vaccine_permissions(imms_vax_type_perms) -> set:
@@ -443,6 +460,22 @@ def _parse_vaccine_permissions(imms_vax_type_perms) -> set:
         for s in parsed:
             vaccine_permissions.add(s)
         return vaccine_permissions
+    
+    @staticmethod
+    def _expand_permissions(supplier_permissions: list[str]) -> set[str]:
+        expanded = set()
+        for permissions in supplier_permissions:
+            if '.' not in permissions:
+                continue  # skip invalid format
+        vaccineType, allowed_operations = permissions.split('.', 1)
+        print(f"Vax_type: {vaccineType}, Ops: {allowed_operations}")
+        vaccineType = vaccineType.lower()
+        for operation in allowed_operations.lower():
+            if operation not in {'c', 'r', 'u', 'd', 's'}:
+                raise ValueError(f"Unknown operation code: {operation} in a permission {permissions}")
+            expanded.add(f"{vaccineType}.{operation}")
+        print(f"Expanded permissions: {expanded}")
+        return expanded
 
     @staticmethod
     def _check_permission(requested: set, allowed: set) -> set:
 
@@ -131,7 +131,7 @@ def update_immunization(
         imms_id: str,
         immunization: dict,
         existing_resource_version: int,
-        imms_vax_type_perms: str,
+        imms_vax_type_perms: list[str],
         supplier_system: str,
     ) -> tuple[UpdateOutcome, Immunization]:
         immunization["id"] = imms_id